Troopers15 – Third Round of Talks Selected

As we promised some days ago here’s the third round of Troopers15 speakers (first one here, second here). It’s going to be awesome!

Andreas Lindh: Defender Economics         FIRST TIME MATERIAL

Synopsis: There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them.
This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Bio: Andreas Lindh is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he’s not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.


Marco Slaviero & Azhar Desai: Weapons of Mass Distraction – Sock Puppetry for Fun & Profit

puppet: (noun) – a false online identity used for deceptive purposes

There have been many discussions online about governments making use of sock puppets on social media sites (and on the Internet in general) to sway popular opinion. Keen observers have spotted military RFP’s calling for the creation of sockpuppet-control software or recruiting groups of students to fill this space. Recent Snowden revelations reveal that GCHQ’s JTRIG has been largely dedicated to such tasks, but there has been little talk of it in information security circles. We hope to change that.
While many intuitively agree that sock puppets could be used for distraction (or mass trolling), very little can be said conclusively about such attacks, in part because they have not been widely scientifically demonstrated & measured. We hope to change that.
In this talk, we aim to briefly cover the background of sock puppets (and related attacks) before moving on to real world demonstrations & “attacks“. Rigging polls, abusing Twitter, causing Reddit riots & targeting popular news organisations are some of the (many) attacks covered. In all these cases we discuss what we tried, what worked, what didn’t and what the implications are of the attacks. Where possible we will cover defences and solutions.
So, if you are interested in a glimpse at “Censorship 2.0? or just want to learn how to troll people on Reddit, you should attend this talk.

Marco Slaviero is the lead researcher at Thinkst. Marco has presented research at conferences all over the world on topics ranging from timing attacks to python shellcode. He is rumoured to harbor a personal dislike for figs.
He gave gave the “Cache on delivery” talk at Troopers11. At Troopers10 he gave “Clobbering the Cloud“, the 1st talk ever discussing real-life vulnerabilities in public cloud platforms.

Azhar Desai is a researcher at Thinkst. He’s fresh from a masters degree filled with mostly computer science and a dash of math. He regularly trounces Marco at “go” and aspires to not ever knowing his place.


Friedwart Kuhn: How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise – An Approach Based on Real-World Expertise         FIRST TIME MATERIAL

Synopsis: Credential theft and Pass-the-Hash (PtH) attacks are nowadays current threats to Active Directory environments. This is not simply due to Microsoft´s implementation of weak protocols (i. e. LM, NTLMv1, WDigest) but mainly due to Single-Sign-On (SSO) functionality requirements in multi-authentication protocol environments. The official statement of Microsoft is now “assume
breach”. But – assuming breach – how should you efficiently protect your Active Directory from credential theft and large scale compromise? In order to perform this task, operationally feasible
solutions will be presented and concisely characterized upon the background of so called ‘green field’ controls which could often not be implemented due to a gap to real-word operation (as for
example “Rebuild your Active Directory”). It will be shown that there is a way and what it looks like, but that this way is a (probably) long-term process that requires the implementation of
organizational/operational changes together with some important technical controls. Going that way may lead to a sustainable and secure operation of Active Directory environments defeating
credential theft and PtH attacks at the root.

Bio: Friedwart Kuhn, working at ERNW, is a renowned expert for Active Directory security and has performed a huge number of projects both in the concept and design space and in the pentesting and incident analysis field.
Amongst others, he has authored whitepapers on end point security solutions, on hardening Active Directory and several Windows related security technologies.


Dmitry Chastuchin & Alexander Polyakov: Hacking Fortune 2000th CEO’s mobile – Security of SAP Mobile Infrastructure        SAP Security Track

Synopsis: Have you ever thought how to get access to most influential data stored on a Fortune 2000 CEO’s mobile phone and rule the world? Today, we are witnessing unprecedented number of Mobile devices being integrated into the core business processes of companies and actively being accessed by top Executives to manage them remotely. Another aspect being the level of access, even if mobile access for a typical middle level employee is restricted or limited, CEO’s can do everything! There are more and more business applications and an increasing number of mobile devices out there. The “mobilization” of enterprises also forces the advent of evils associated with integration and security.
You might hear of many talks regarding mobile security but never has anything significant related to a SAP Mobile ecosystem been spoken on before. These systems access most essential functions of a large enterprise, which in turn often deploy a plethora of business systems and heterogeneous fleet of devices. Essentially, Information needs to be transmitted quickly and safely. The SAP’s best-known software products are its enterprise resource planning, CRM and BW applications that are deployed in almost all companies in the Forbes Global 2000 list.
You already hear a lot about vulnerabilities in different SAP’s platforms and now the new emerging scenario dictates that even their Mobile infrastructure needs to be paid a closed attention. It consists of multiple systems such as SAP Mobile Platform (Formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database and hundreds of SAP’s mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk is an attempt to highlight how one can hack SAP Mobile.

Alexander Polyakov: Founder of ERPScan, President of project, accomplished R&D professional and Entrepreneur of the year. He is an expert at security for business-critical software like ERP, CRM, SRM and industry specific solutions. He has received due recognition having publishing over 100 vulnerabilities, as well as multiple whitepapers, such as annual award-winning “SAP Security in Figures”, surveys and a book devoted to information security research in SAP and Oracle. He has presented at more than 50 conferences in 20+ countries in all continents and held training sessions for the CISOs of Fortune 2000 companies, including SAP SE.
At the time of Troopers10 (!) he already presented “Some notes on SAP Security” and at Troopers14 they spoke about “Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server“.

Dmitry Chastuchin is a Director of security consulting at ERPScan. He works upon SAP security, particularly upon Web applications and JAVA, HANA and Mobile solutions. He has official acknowledgements from SAP for several vulnerabilities found. Dmitry is also a WEB 2.0 and social network security geek and bug bounty who found several critical bugs in Google, Nokia, Badoo. He is a contributor to the EAS-SEC project. He spoke at the following conferences: BlackHat, Hack in the Box, DeepSec, and BruCON.


Rodrigo Branco & Gabriel Barbosa: Modern Platform-Supported Rootkits         FIRST TIME MATERIAL

Synopsis: Talks on modern rootkit techniques are often presented in conferences around the world, but most of them basically updates existing techniques to work with new kernel improvements. This talk goes beyond and proposes a new approach: the usage of many architectural (x86-64) capabilities in order to have a resilient malware.   Different aspects of the architecture are going to be explored and detailed in order to demonstrate attacker leverage against detection tools.  Most of those features are widely available.  Some of them, are niche or fairly new enhancements.  Each new idea will be discussed isolated with specific details demonstrated and discussed.  After this talk, we expect the attendees to increase the pressure on the forensics tools in order to provide better coverage on platform capabilities, instead of the current assumptions we see.


Rodrigo Rubira Branco (BSDaemon) works as Principal Security Researcher at Intel Corporation and is the Founder of the Dissect || PE Malware Analysis Project. Held positions as Director of Vulnerability & Malware Research at Qualys and as Chief Security Research at Check Point where he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. In 2011 he was honored as one of the top contributors to Adobe Vulnerabilities in the past 12 months. Previous to that, he worked as Senior Vulnerability Researcher in COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT) also working in the IBM Toolchain (Debugging) Team for PowerPC Architecture. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America. He is an active contributor to open-source projects (like ebizzy, linux kernel, others). Accepted speaker in lots of security and open-source related events as H2HC, Black Hat, Hack in The Box, XCon, VNSecurity, OLS, Defcon, Hackito, Ekoparty, Troopers and others.

Rodrigro has contributed to every single Troopers edition since the inaugural event in 2008, with a number of cool talks (incl. “Into the Darkness: Dissecting Targeted Attacks” and “Dynamic Program Analysis and Software Exploitation“), with a legendary keynote at Troopers13 (video here, Rodrigo starts at 8:30) and last but not least during the parties (he’s said to have quite some compromising pictures in his possession…).

Gabriel Negreira Barbosa works as a security researcher at Intel. Previous to that he worked as a security researcher of the Qualys Vulnerability & Malware Research Labs (VMRL). He received the Msc title by Instituto Tecnológico de Aeronáutica (ITA), where he also worked in security projects for the Brazilian government and Microsoft Brazil.


More talks to follow soon, so stay tuned ;-).

See you @Troopers & Happy Holidays! to everybody










Leave a Reply

Your email address will not be published. Required fields are marked *